Europeans may leave U.S. cloud companies even faster after most recent espionage revelations, but where they could go is a tough question

InfoWorld|Jan 27, 2014

The latest wave of revelations about NSA spying may leave U.S. cloud providers with a black eye if many of their European customers decide to bail.

Edward Snowden's most recent claim, via an interview given for German television, is that the NSA conducts industrial espionage, routinely collecting information from non-U.S. companies that have little apparent intelligence value.

Such details are likely to make non-U.S. companies all the more skittish about storing their data in clouds run by U.S. companies. In fact, a backlash, in the form of moving to non-U.S. cloud companies whenever possible, may already be well underway.

In the interview, Snowden was asked if German engineering conglomerate Siemens AG was one of the NSA's espionage targets. Snowden's reply, according to International Business Times, was that "the agency would take information even though it was not related to national security concerns."

It's possible Siemens did constitute a legitimate intelligence-gathering target in the NSA's eyes -- especially after many of its customers were hit with the Stuxnet worm, which seemed specifically designed (by whom is another story) to target Siemens's industrial automation software. (Siemens did not respond immediately to a request for comment.)

Some cloud companies are already girding to avoid losing business, if they have any say in the matter. Microsoft's top counsel, Brad Smith, stated that Microsoft plans to let its customers choose the country where their data is stored. (Microsoft was invited to comment directly for this article, but declined.)

But worries about spying can't be allayed by an action as simple as moving data offshore. U.S. law requires that any service provider that falls under U.S. jurisdiction must comply with NSA data requests, no matter where the data is held geographically. Consequently, European regulators have expressed concern that U.S. legislation, such as FISA, might pose a greater risk to data protection than any of Europe's own policies.

The long-term answer for non-U.S. customers, then, may be cloud firms founded and run by non-U.S. companies. But that raises even more questions: Whom to replace them with, and where would the replacements be from? Mikko Hypponen of Finnish security firm F-Secure has pointed out that in such a situation it's "good to be a solution provider coming from a fairly neutral country" -- that is, not in the United States or Europe, but not in China, Russia, or Israel either. That narrows the list a great deal.

What's more, the problem with not doing business with any U.S.-based cloud firms is that it severely limits both the choices and the technologies available. Amazon, Microsoft, and all the other U.S.-based name-brand cloud companies have massive market share on their side. While it's possible to eschew them, not just by using a non-U.S. company but also by building one's own cloud infrastructure, doing so also ups the inconvenience and difficulty.

Another possible balm -- hinted at indirectly through President Obama's recent speech on the NSA's spy programs -- would be to allow U.S. companies to be more forthright about NSA data requests. But the enactment of any such measures is still a ways off, and an exodus may already be in motion.